--- 1/draft-ietf-dnsop-algorithm-update-09.txt 2019-04-20 06:13:11.189353727 -0700 +++ 2/draft-ietf-dnsop-algorithm-update-10.txt 2019-04-20 06:13:11.217354451 -0700 @@ -1,19 +1,19 @@ dnsop P. Wouters Internet-Draft Red Hat Obsoletes: 6944 (if approved) O. Sury Intended status: Standards Track Internet Systems Consortium -Expires: October 12, 2019 April 10, 2019 +Expires: October 22, 2019 April 20, 2019 Algorithm Implementation Requirements and Usage Guidance for DNSSEC - draft-ietf-dnsop-algorithm-update-09 + draft-ietf-dnsop-algorithm-update-10 Abstract The DNSSEC protocol makes use of various cryptographic algorithms in order to provide authentication of DNS data and proof of non- existence. To ensure interoperability between DNS resolvers and DNS authoritative servers, it is necessary to specify a set of algorithm implementation requirements and usage guidelines to ensure that there is at least one algorithm that all implementations support. This document defines the current algorithm implementation requirements 
@@ -27,21 +27,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on October 12, 2019. + This Internet-Draft will expire on October 22, 2019. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -65,21 +65,21 @@ 3.3. DS and CDS Algorithms . . . . . . . . . . . . . . . . . . 6 3.4. DS and CDS Algorithm Recommendation . . . . . . . . . . . 7 4. Implementation Status . . . . . . . . . . . . . . . . . . . . 7 4.1. DNSKEY Algorithms . . . . . . . . . . . . . . . . . . . . 7 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 6. Operational Considerations . . . . . . . . . . . . . . . . . 8 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 9.1. Normative References . . . . . . . . . . . . . . . . . . 9 - 9.2. Informative References . . . . . . . . . . . . . . . . . 9 + 9.2. Informative References . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction The DNSSEC signing algorithms are defined by various RFCs, including [RFC4034], [RFC5155], [RFC5702], [RFC5933], [RFC6605], [RFC8080]. DNSSEC is used to provide authentication of data. To ensure interoperability, a set of "mandatory-to-implement" DNSKEY algorithms are defined. This document obsoletes [RFC6944]. 
@@ -405,105 +405,105 @@ 9. References 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . - [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC - 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, - May 2017, . - -9.2. Informative References - [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. Rose, "Resource Records for the DNS Security Extensions", RFC 4034, DOI 10.17487/RFC4034, March 2005, . [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS Security (DNSSEC) Hashed Authenticated Denial of Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008, . [RFC5702] Jansen, J., "Use of SHA-2 Algorithms with RSA in DNSKEY and RRSIG Resource Records for DNSSEC", RFC 5702, DOI 10.17487/RFC5702, October 2009, . - [RFC5933] Dolmatov, V., Ed., Chuprina, A., and I. Ustinov, "Use of - GOST Signature Algorithms in DNSKEY and RRSIG Resource - Records for DNSSEC", RFC 5933, DOI 10.17487/RFC5933, July - 2010, . - [RFC6605] Hoffman, P. and W. Wijngaards, "Elliptic Curve Digital Signature Algorithm (DSA) for DNSSEC", RFC 6605, DOI 10.17487/RFC6605, April 2012, . - [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC - Operational Practices, Version 2", RFC 6781, - DOI 10.17487/RFC6781, December 2012, - . - - [RFC6944] Rose, S., "Applicability Statement: DNS Security (DNSSEC) - DNSKEY Algorithm Implementation Status", RFC 6944, - DOI 10.17487/RFC6944, April 2013, - . - [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August 2013, . [RFC6986] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012: Hash Function", RFC 6986, DOI 10.17487/RFC6986, August 2013, . - [RFC7091] Dolmatov, V., Ed. and A. 
Degtyarev, "GOST R 34.10-2012: - Digital Signature Algorithm", RFC 7091, - DOI 10.17487/RFC7091, December 2013, - . - [RFC7344] Kumari, W., Gudmundsson, O., and G. Barwood, "Automating DNSSEC Delegation Trust Maintenance", RFC 7344, DOI 10.17487/RFC7344, September 2014, . - [RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. Mekking, - "DNSSEC Key Rollover Timing Considerations", RFC 7583, - DOI 10.17487/RFC7583, October 2015, - . - - [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running - Code: The Implementation Status Section", BCP 205, - RFC 7942, DOI 10.17487/RFC7942, July 2016, - . - [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017, . [RFC8078] Gudmundsson, O. and P. Wouters, "Managing DS Records from the Parent via CDS/CDNSKEY", RFC 8078, DOI 10.17487/RFC8078, March 2017, . [RFC8080] Sury, O. and R. Edmonds, "Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC", RFC 8080, DOI 10.17487/RFC8080, February 2017, . + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, . + +9.2. Informative References + + [RFC5933] Dolmatov, V., Ed., Chuprina, A., and I. Ustinov, "Use of + GOST Signature Algorithms in DNSKEY and RRSIG Resource + Records for DNSSEC", RFC 5933, DOI 10.17487/RFC5933, July + 2010, . + + [RFC6781] Kolkman, O., Mekking, W., and R. Gieben, "DNSSEC + Operational Practices, Version 2", RFC 6781, + DOI 10.17487/RFC6781, December 2012, + . + + [RFC6944] Rose, S., "Applicability Statement: DNS Security (DNSSEC) + DNSKEY Algorithm Implementation Status", RFC 6944, + DOI 10.17487/RFC6944, April 2013, + . + + [RFC7091] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012: + Digital Signature Algorithm", RFC 7091, + DOI 10.17487/RFC7091, December 2013, + . + + [RFC7583] Morris, S., Ihren, J., Dickinson, J., and W. 
Mekking, + "DNSSEC Key Rollover Timing Considerations", RFC 7583, + DOI 10.17487/RFC7583, October 2015, + . + + [RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running + Code: The Implementation Status Section", BCP 205, + RFC 7942, DOI 10.17487/RFC7942, July 2016, + . + [DNSKEY-IANA] "DNSKEY Algorithms", . [DS-IANA] "Delegation Signer Digest Algorithms", . Authors' Addresses
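Review bot: In the references hunk (@@ -405,105 +405,105 @@), RFC6986 (GOST R 34.11-2012 hash function) stays in 9.1 Normative References as unchanged context, while the other two GOST entries, RFC5933 and RFC7091, land under the relocated "9.2. Informative References" heading. If the GOST material is meant to be informative only, move RFC6986 to 9.2 with them; if it is normative on purpose, say why the hash function is normative when the signature algorithm is not. The rest of the hunk is a pure reorder: every removed entry (RFC8174, RFC5933, RFC6781, RFC6944, RFC7091, RFC7583, RFC7942) reappears with the same text. Moving the 9.2 heading below RFC8174 also reclassifies RFC4034, RFC5155, RFC5702, RFC6605, RFC6979, RFC7344, RFC8032, RFC8078 and RFC8080 from informative to normative, so the change is more than cosmetic and deserves a line in the draft's change log.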